Jenkins security patches could break plug-ins

Popular open source automation server Jenkins has fixed multiple security vulnerabilities. The latest version changes how plug-ins use build parameters, though, so developers will need to adapt to the new process.

The vulnerabilities affect all previous releases, including the mainline releases up to and including 2.2, and LTS releases up to and including 1.651.1. Administrators should update their Jenkins installations to mainline release Jenkins 2.3 or LTS 1.651.2.

One of the vulnerabilities fixed in this release involves how build parameters in Jenkins are passed to write scripts as environmental variables. Depending on user access permissions and plug-ins on the Jenkins servers, malicious users would be able to trigger builds with arbitrary environment variables and modify the behavior of those builds, the Jenkins security advisory warned. In this situation, jobs could be defined with no parameters, but be built with parameters passed by the plug-ins. Parameters like PATH and DYLD_LIBRARY_PATH could be defined on jobs that didn't expect them, with unexpected results.

Instead of asking plug-in developers to pay attention to potential problems they may encounter, the team decided to update Jenkins to filter build parameters based on what's defined on the job, said R. Tyler Croy, Jenkins project board member and Community Evangelist at CloudBees, which sells a commercial Jenkins platform. Parameters that are not defined on the job are removed.

Developers have to change how they handle parameters in their plug-ins, such as not passing extra arguments and using the new method getAllParameters(), to adapt to this change. Instead of passing arguments, developers can defineQueueAction for the metadata. The getAllParameters method returns all parameters and can be used by EnvironmentContributor extensions to add known safe parameters to build environments.

"I realize this change, among a few others that improve the security of Jenkins, may be difficult to adapt for some, but given the valuable secrets typically stored in Jenkins, I'm certain that this is the correct approach," wrote Daniel Beck, Jenkins software engineer.

The trade-off for fixing that bug within Jenkins was plug-ins that rely on the original behavior would break. Of the 1,100 or so plug-ins available for Jenkins, only four so far have been identified as affected by the update: Gerrit Trigger, GitHub pull request builder plug-in, Matrix Project Plug-in, and Release Plug-in. The GitHub plug-in passes a number of additional parameters describing the pull request.

Organizations can apply the updates, then reverse this specific fix to restore the original behavior by setting the system propertyhudson.model.ParametersAction.keepUndefinedParameters to true. For some environments, this step may be unsafe as the server will be vulnerable to attack.